Cybersecurity Bill: Protecting Us From Attacks... Or Keeping Our Own Attacks Secret?

from the seems-quite-likely dept

We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211-pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:

(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or Statecourt against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—

(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General, or the Director,may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

What's odd about this? Well, it suggests that it says that companies might not get in legal trouble if they don't disclose info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there wouldn't be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself:

I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.

This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!

Re:

Gun control, miniature SOPA-esque provisions, now this. It's pretty clear at this point that the bill was first presented as a version that "addressed" privacy concerns just so they could smuggle the really evil shit in there through amendments. Frankly, I am disgusted with these politicians (as if I wasn't already). Vast majority of them are pretty much soulless scum and all about the power.

it's definitely to keep secret the invasion of privacy being executed on our own people. any and all so-called security bills are meant to do the same thing with the addition of stopping the people from finding out what the government is really up to, so corrupt politicians and corporation execs can continue to line their own pockets at the expense of others.

Re:

Why is it silly? We know for a solid fact that the US government creates and distributes malware for use against entities it considers targets. It seems logical that they would want to take steps to keep any specific action a secret.

Re: Re: Re:

Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware.

A few things for sure, whoever wrote this section knows exactly what they want and most people wouldn't agree with it. It's meant to be obscure and hard to define - until put in action. Then we will know what they meant.

Re: Re: Re:

The US government is lawless and rogue. They like to dot their "i"s and cross their "t"s legislatively, but let's not forget that if they are just as happy to ignore, twist and abuse the law if it happens to be inconvenient to follow it in good faith.

Any time they get a case they don't quite know what to do with it seems it always comes back to a national security issue.

I would like to remind readers that not to long ago, the US military claimed that a cyber attack was the same as provocation for war. In essence the US has through the release of cyber attacks already declared war on Iran.